
50% of Organizations Lack Proper Management of Long-Lived Cloud Credentials


Datadog’s State of Cloud Security 2024 report revealed that nearly half of organizations, about 46%, have unmanaged users with long-lived credentials in cloud services. Long-lived credentials are authentication tokens or keys that remain valid for an extended period, which makes them a prime target for attackers seeking to compromise data.

With these credentials, attackers can gain persistent access to cloud services, potentially putting sensitive information at risk. The report highlighted that long-lived credentials are prevalent across major cloud service providers such as Google Cloud, Amazon Web Services (AWS), and Microsoft Entra.

Furthermore, the study found that many of these credentials are not only old but also unused. Approximately 60% of Google Cloud service accounts, 60% of AWS Identity and Access Management (IAM) users, and 46% of Microsoft Entra ID applications have access keys older than one year. These outdated credentials present a significant security risk for organizations.

Andrew Krug, Head of Security Advocacy at Datadog, emphasized the importance of organizations having a strategy to mitigate the risks associated with long-lived credentials. He cited the need for modern authentication mechanisms, short-lived credentials, and active monitoring of API changes commonly exploited by attackers to protect against cloud security incidents.

In addition to the risks posed by long-lived credentials, the report also highlighted the prevalence of risky cloud permissions among organizations. Approximately 18% of AWS EC2 instances and 33% of Google Cloud VMs have sensitive permissions to a project, increasing the likelihood of damaging breaches if compromised.

Moreover, 10% of third-party integrations were found to have risky cloud permissions that could allow vendors to access all data in the account or potentially take over the entire account. The report also identified that 2% of third-party integration roles do not enforce the use of External IDs, leaving them vulnerable to “confused deputy” attacks where a less privileged entity can coerce a more privileged entity to perform actions on its behalf.
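The External ID gap described above can be checked directly in a role's trust policy. The following is an added example, not code from the Datadog report: it flags AWS IAM trust-policy statements that let another account assume a role without a `StringEquals` condition on `sts:ExternalId`. The account IDs, the external ID value, and the function names are constructed for illustration.

```python
import json

OWN_ACCOUNT = "111111111111"  # constructed placeholder for the auditing account

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_accounts(principal):
    """Return the AWS account IDs named in a Principal element ('*' for a wildcard)."""
    if principal == "*":
        return ["*"]
    accounts = []
    for p in _as_list(principal.get("AWS", [])):
        # ARNs look like arn:aws:iam::<account>:root; bare account IDs are also valid.
        accounts.append(p.split(":")[4] if p.startswith("arn:") else p)
    return accounts

def _requires_external_id(statement):
    """True only for an exact-match condition; a StringLike wildcard is not accepted."""
    for operator, keys in statement.get("Condition", {}).items():
        if operator == "StringEquals" and any(k.lower() == "sts:externalid" for k in keys):
            return True
    return False

def foreign_principals_without_external_id(trust_policy, own_account):
    """List external accounts that may assume the role with no External ID check."""
    findings = set()
    for stmt in _as_list(trust_policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not {"sts:assumerole", "sts:*", "*"} & set(actions):
            continue
        foreign = [a for a in _principal_accounts(stmt.get("Principal", {})) if a != own_account]
        if foreign and not _requires_external_id(stmt):
            findings.update(foreign)
    return sorted(findings)

# Constructed sample trust policies for a third-party integration role.
WEAK = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::222222222222:root"}, "Action": "sts:AssumeRole"}]}""")
HARDENED = json.loads("""{"Version": "2012-10-17", "Statement": {"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::222222222222:root"}, "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}}""")

if __name__ == "__main__":
    print("weak:", foreign_principals_without_external_id(WEAK, OWN_ACCOUNT))
    print("hardened:", foreign_principals_without_external_id(HARDENED, OWN_ACCOUNT))
```
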

Despite these concerning findings, there has been an increase in the adoption of cloud guardrails over the past year. For instance, 79% of S3 buckets are now covered by an account-wide or bucket-specific S3 Public Access Block, up from 73% in 2023. This trend is attributed to cloud providers enabling guardrails by default, signaling a positive step towards enhancing cloud security practices.

Overall, the report underscored the need for organizations to prioritize the management of long-lived credentials, implement strong authentication measures, and regularly review and update permissions to mitigate risks associated with cloud security breaches. By proactively addressing these vulnerabilities, organizations can enhance their overall cybersecurity posture and protect against potential threats in the cloud environment.
